b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n        PERSONALLY IDENTIFIABLE\n     INFORMATION MADE AVAILABLE\n         TO THE GENERAL PUBLIC\n      VIA THE DEATH MASTER FILE\n\n      June 2008   A-06-08-18042\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and 
deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                             SOCIAL SECURITY\nMEMORANDUM\n\nDate:      June 4, 2008                                                                       Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Personally Identifiable Information Made Available to the General Public Via the Death\n           Master File (A-06-08-18042)\n\n\n           OBJECTIVE\n\n           Our objective was to determine the extent to which publication of the Death Master File\n           (DMF) results in a breach of personally identifiable information (PII).\n\n           BACKGROUND\n\n           The Office of Management and Budget (OMB) defines PII as information that can be\n           used to distinguish or trace an individual\xe2\x80\x99s identity, such as their name or Social\n           Security number (SSN), alone, or when combined with other personal or identifying\n           information linked or linkable to a specific individual, such as date and place of birth. 1 A\n           heightened emphasis on PII protection has emerged as information technology and the\n           Internet have made it easier to collect and disseminate this information. PII can also be\n           exploited by criminals to stalk, or steal the identity of, a person or commit other crimes.\n\n           The expanded use of the SSN as a national identifier has given rise to individuals using\n           SSNs belonging to others for illegal purposes. Stolen SSNs have been used to gain\n           employment, obtain benefits and services, establish credit, and hide identities to\n           commit various types of crimes. 
Identity theft affects millions of Americans each year.\n           The Federal Trade Commission estimated total identity theft losses for businesses,\n           financial institutions, and consumer victims totaled over $50 billion in 2002. 2 Preventing\n           breaches of PII is essential to ensuring the Government retains the public\xe2\x80\x99s trust.\n           Consequently, the Social Security Administration (SSA) is responsible for safeguarding\n           PII in its possession. In May 2007, OMB issued a memorandum requiring that Federal\n\n\n           1\n               OMB Memorandum M-07-16, page 1, footnote 1, dated May 22, 2007.\n           2\n            FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for\n           Businesses and Consumers, http://www.ftc.gov/opa/2003/09/idtheft.shtm, Federal Trade Commission,\n           Press Release, September 2003.\n\x0cPage 2 - The Commissioner\n\n\nagencies develop and implement a PII breach notification policy. 3 The memorandum\nreemphasizes Federal agency responsibilities to appropriately safeguard PII, outlines\nincident reporting and handling requirements, and identifies factors to consider in\ndetermining when notification outside the agency should be given. The memorandum\ndefined a breach as follows:\n\n          \xe2\x80\xa6to include the loss of control, compromise, unauthorized disclosure,\n          unauthorized acquisition, unauthorized access, or any similar term\n          referring to situations where persons other than authorized users and\n          for an other than authorized purpose have access or potential access\n          to personally identifiable information, whether physical or electronic.\n                                                                        4\n                 As a result of a Freedom of Information Act lawsuit, SSA maintains a\n The Death       record of reported deaths known as the DMF. 
The terms of the related\n Master File     consent judgment required that SSA make available to the Plaintiff, the\n                 SSN, surname, and date of death of deceased numberholders. As of\nJune 2007, the DMF database contained detailed information on more than 82 million\nnumberholders. SSA provides DMF data to the Department of Commerce\xe2\x80\x99s National\nTechnical Information Service (NTIS). NTIS, in turn, sells the DMF data to customers\nwe broadly categorize as follows: (1) Federal, State, and local government customers;\n(2) industry customers including financial, investigative, credit reporting, and medical\nresearch organizations; and (3) public customers, including genealogists, individuals,\netc. Customers can purchase the complete data file for $1,725 and subscribe to\nmonthly electronic updates for another $2,600. The electronic updates provide\nsubscribers with DMF additions, corrections, and deletions.\n\nCustomers use the DMF to verify identity as well as prevent fraud. By methodically\nrunning financial, credit, payment, and other applications against the DMF, users are\nbetter able to identify and prevent identity fraud. Further, some public customers\npurchase DMF information and make it available at no cost to the general public\nthrough the Internet.\n\nThe accuracy of death data is a highly sensitive matter for SSA. Erroneous death\nentries can lead to benefit termination, cause severe financial hardship and distress to\naffected individuals, and result in the publication of living individuals\xe2\x80\x99 PII in the DMF.\nWhen SSA becomes aware a death report was posted in error, SSA deletes the death\nentry from the DMF. Since January 2004, SSA has provided the Office of the Inspector\nGeneral electronic files containing all updates made to the DMF. These files indicate,\nfrom January 2004 through April 2007, SSA deleted over 44,000 numberholders\xe2\x80\x99 death\nentries from the DMF. 
We did not verify whether the 44,000 individuals were alive at\nthe time of our audit. However, SSA records indicated 20,623 of these individuals\nreceived SSA benefit payments in May 2007. The fact SSA paid benefits to individuals\n\n\n3\n    OMB M-07-16, supra.\n4\n    Perholtz v. Ross, Civ. No. 78-2385 and 78-2386 (D.D.C. - 1980).\n\x0cPage 3 - The Commissioner\n\n\nafter deleting their death entries indicates SSA determined the individuals were alive.\nOur review focused on these 20,623 individuals. (Additional background information is\nprovided in Appendix B.)\n\nRESULTS OF REVIEW\nSince January 2004, SSA\xe2\x80\x99s publication of the DMF has resulted in the breach of PII for\nmore than 20,000 living individuals erroneously listed as deceased on the DMF. SSA\nmade these individuals\xe2\x80\x99 SSNs; first, middle, and last names; dates of birth and death;\nand State and zip codes of last known residences available to users of the DMF before\nlearning they were not actually deceased. SSA attempted to retract these disclosures\nby deleting the individuals\xe2\x80\x99 information from the DMF. While these deletion transactions\nprevented the PII from being included in subsequent versions of the DMF, the deletions\nhad no effect on the PII previously made available to DMF subscribers. In some\ninstances, these individuals\xe2\x80\x99 PII remained available at the time of our audit for free\nviewing on the Internet. Public disclosure of living individuals\xe2\x80\x99 PII increases the\nopportunity for identity theft and subjects SSA to criticism from the affected individuals,\nthe public and Congress and could subject SSA to legal action. 5\n\nPUBLICATION OF THE DMF RESULTS IN PII BREACHES\n\nSSA inadvertently exposed the PII of thousands of living individuals through publication\nof the DMF. SSA publishes deceased numberholders\xe2\x80\x99 personal information in the\nDMF. 
From January 2004 through April 2007, SSA processed transactions to delete\nerroneous death entries appearing on more than 44,000 numberholders\xe2\x80\x99 SSA records.\nHowever, in many cases, these deletion transactions did not occur until after the\nindividual\xe2\x80\x99s PII was already exposed on the DMF. As of May 2007, SSA paid benefits\nto 20,623 of these numberholders, indicating SSA\xe2\x80\x99s acknowledgment the\nnumberholders were alive.\n\nThrough review of available data, we identified both the death entry addition and\ndeletion dates for 12,187 deletion transactions involving the 20,623 individuals in\n                        6\ncurrent payment status. In 90 percent of the cases where these data were available,\nSSA deleted these individuals\xe2\x80\x99 erroneous death entries within 1 year of input.\n\n\n\n\n5\n    5 U.S.C. \xc2\xa7 552a(g)(1)(D).\n6\n The remaining death entry addition dates were not recorded on available data files. We believed, but did\nnot verify, this occurred either because the death entry was recorded before we began receiving monthly\nDMF transaction files or SSA processed the deletion transaction after, but in the same month as, the\ndeath entry.\n\x0cPage 4 - The Commissioner\n\n\n                                Number of Months Between Input and\n                                 Deletion of Erroneous Death Entry\n\n\n\n\n                                            1-3\n                                      9,175 Transactions\n                                             (75%)\n\n\n\n\n                                                                      4-12\n                                                                1,787 Transactions\n                                          12 or More                   (15%)\n                                       1,225 Transactions\n                                              (10%)\n\n\n\nSSA\xe2\x80\x99s policies and procedures openly acknowledge the occurrence of death 
reporting\nerrors and state, \xe2\x80\x9cOccasionally, living individuals are erroneously included in the DMF\n                                                                  7\n(e.g., due to inaccurate death reports or inaccurate data input).\xe2\x80\x9d Because SSA\nrealizes it cannot guarantee the accuracy of information published in the DMF, it\nformally disclaims the accuracy of the DMF contents 8 and advises DMF\ncustomers/subscribers that not all information contained within is verified.\n\nBecause of the importance placed on privacy in the Social Security program, the first\nregulation adopted by the Social Security Board in June 1937 was Regulation\nNumber 1, 9 which, to date, governs the privacy and disclosure of Social Security\nrecords. The Social Security Board found that the public interest required that\nconfidential information in its possession, pertaining to any person, be preserved.\nAlthough SSA is aware it erroneously includes the PII of living individuals in the DMF, it\ncontinues to make the information available to the public. These actions not only\nappear to be contrary to Regulation 1, they also could cause the public to lose\nconfidence in SSA\xe2\x80\x99s ability to protect sensitive information and subject SSA to civil\nlitigation.\n\n\n\n\n7\n SSA, POMS GN 03316.095.A, Disclosure Without Consent to Recipients of the Death Master File (DMF)\nWhen Erroneous Death is Included on the DMF.\n8\n    Id.\n9\n    20 C.F.R. \xc2\xa7 401 et seq.\n\x0cPage 5 - The Commissioner\n\n\nDMF Deletion Transactions Did Not Remove PII from Public Domain\n\nSSA\xe2\x80\x99s efforts to delete erroneous death entries from the DMF did not effectively\nmitigate the exposure of living individuals\xe2\x80\x99 PII. We randomly selected 250 instances\nwhere SSA deleted living individuals\xe2\x80\x99 death entries from the DMF. 
In September 2007,\n4 to 43 months after SSA deleted the death entries, we searched at least one of the\nfollowing three Internet sites that make DMF information available to the public at no\ncharge to determine whether sampled individuals\xe2\x80\x99 PII remained accessible on the\nwebsite.\n\n\xe2\x80\xa2    Rootsweb.com\xe2\x80\x99s Social Security Death Index at http://ssdi.rootsweb.com/\n\n\xe2\x80\xa2    Genealogy.com\xe2\x80\x99s Social Security Death Index at\n     http://www.genealogy.com/genealogy/gen_ssdisearch.html\n\n\xe2\x80\xa2    Familysearch.org\xe2\x80\x99s Social Security Death Index at http://www.familysearch.org/ssdi/\n\nOur review revealed that months 10 after SSA deleted the information from the DMF, the\nPII of 71 (28 percent) of the sampled living numberholders remained available for\nviewing on at least one of the Internet web sites. SSA action to remove erroneous\ndeath entries from the DMF did not prevent continued breaches of affected individuals\xe2\x80\x99\nPII.\n\nSSA staff stated that all purchasers of the DMF who continually use its data are\nadvised, on the NTIS website, that it is mandatory that they keep their copy of the DMF\nup to date. SSA requires that they also purchase a subscription to the DMF updates\nand apply those updates. However, neither NTIS nor SSA enforced this requirement.\nSSA staff believed this oversight activity was an NTIS responsibility, particularly since\nNTIS receives all the fees associated with the sale of the DMF and from the update\nsubscriptions. However, NTIS staff stated it provided no user oversight because the\nDMF was exclusively an SSA product. 
As a result, DMF purchasers did not always\nappear to abide by the update requirements, and the PII of living individuals remained\npublicly available, even long after SSA deleted the erroneous death entries.\n\nBreach Notification Procedures Not Implemented When PII Exposed on the DMF\n\nSSA did not implement PII breach notification procedures after becoming aware it\nerroneously published living numberholders\xe2\x80\x99 PII on the DMF. Further, SSA did not\nnotify affected numberholders their PII was exposed on the DMF. OMB issued\nguidance requiring that Federal agencies report suspected or confirmed PII breaches to\n\n\n\n\n10\n  On average, the PII of these numberholders could be viewed on the Internet 30 months after SSA\ndeleted the death entry from the DMF.\n\x0cPage 6 - The Commissioner\n\n\nthe United States Computer Emergency Readiness Team (US-CERT) within 1 hour of\ndiscovery/detection. 11 This policy also outlines factors agencies should consider in\ndetermining when external breach notification should be given 12 and states\n\n          Notification of those affected and/or the public allows those individuals\n          the opportunity to take steps to help protect themselves from the\n          consequences of the breach. Such notification is also consistent with\n          the \xe2\x80\x9copenness principle\xe2\x80\x9d of the Privacy Act that calls for agencies to\n          inform individuals about how their information is being accessed and\n          used, and may help individuals mitigate the potential harms resulting\n          from a breach. 13\n\nSSA staff acknowledged the Agency does not implement any breach notification\nprocedures when living individuals\xe2\x80\x99 personal information is erroneously published in the\nDMF. SSA staff reported that, relative to the total number of deceased individuals on\nthe DMF (currently over 82.5 million) 20,000 DMF reporting errors represent an error\nrate of approximately .03 percent. 
SSA staff stated the DMF deletions discussed in the\nreport occurred from January 2004 through April 2007; however, the OMB PII breach\nnotification guidelines were not issued until May 2007.\n\nWe believe SSA\xe2\x80\x99s current practice is inconsistent with OMB guidance. For example,\nthe OMB guidance states \xe2\x80\x9c[t]he magnitude of the number of affected individuals may\ndictate the method(s) you choose for providing notification, but should not be the\n                                                                       14\ndetermining factor for whether an agency should provide notification.\xe2\x80\x9d SSA should\ndetermine whether breach notification is warranted in accordance with the factors set\nforth in OMB guidance in instances where it erroneously publishes living\nnumberholders\xe2\x80\x99 PII in the DMF.\n\nDetailed Personal Information Published on the DMF\n\nSSA discloses far more detailed personal information in the DMF than required under\nthe original consent judgment that resulted in the creation of the DMF. Under the terms\nof the agreement, SSA was to compile a list that identified deceased numberholders\xe2\x80\x99\nSSNs, surnames and dates of death. However, SSA expanded the information\npublished in the DMF to include the decedent\xe2\x80\x99s date of birth, first and middle name, and\nlast known residential state/zip code. According to SSA, the additional information\nbecame part of the DMF based on requests from subscribers. However, we could not\nconfirm this because SSA did not maintain any supporting documentation.\n\n\n\n11\n     OMB M-07-16, supra, Attachment 2 \xc2\xa7 B.1. at page 10.\n12\n     OMB M-07-16, supra, Attachment 3 at page 12.\n13\n     OMB M-07-16, supra, Attachment 3 \xc2\xa7 A.3. at page 12.\n14\n     OMB M-07-16, supra, Attachment 3 \xc2\xa7 B.1b. 
at page 14.\n\x0cPage 7 - The Commissioner\n\n\nIn Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information, OMB directs agencies to reduce the volume of PII to\nthe minimum necessary for the proper performance of a documented agency function,\nand to reduce the use of SSNs and to explore alternatives for use of SSNs as personal\n            15                        16\nidentifiers. The Social Security Act (Act) prohibits SSA from disclosing a person\'s\ndeath for purposes other than those enumerated in the Act if SSA\'s only source of that\ninformation was the State Death Match program. However, the Act allows, under\ncertain circumstances, for SSA to share this restricted information with Federal and\n                 17\nState agencies. In these cases, SSA provides death information to other government\nagencies but does not publish death information in the public version of the DMF.\nFurther restricting the amount of detailed personal information included in the DMF\nwould reduce PII exposure\xe2\x80\x94particularly in instances where living individuals\xe2\x80\x99\ninformation is erroneously included\xe2\x80\x94while allowing for the continued legitimate use of\nthe valid death information.\n\nCONCLUSION AND RECOMMENDATIONS\nSSA\xe2\x80\x99s publication of the DMF resulted in the erroneous disclosure of thousands of living\nindividuals\xe2\x80\x99 PII. SSA\xe2\x80\x99s attempts to mitigate these PII breaches were not always\neffective in removing the PII from the public domain. SSA did not notify either\nUS-CERT or the affected individuals upon learning the Agency had erroneously\nincluded living individuals\xe2\x80\x99 PII in the DMF. Further, SSA discloses far more detailed\npersonal information in the DMF than required by the consent agreement that resulted\nin the creation of the DMF. 
With the growing use of the Internet\xe2\x80\x94and the public and\nCongress\xe2\x80\x99 concerns with identity theft and the disclosure of personal information\xe2\x80\x94SSA\nmust prevent the improper disclosure of PII by ensuring the DMF does not contain the\nPII of living individuals before making the information available to the general public.\n\nPublication of the DMF involves the inherent risk living individuals\xe2\x80\x99 PII will be mistakenly\nbreached. If SSA continues to publish the DMF with the knowledge its contents cannot\nbe guaranteed as accurate and contain the PII of living numberholders, we recommend\nSSA:\n\n1. Work with the Department of Commerce to implement a risk-based approach for\n   distributing DMF information. For example, SSA could request that NTIS delay\n   release of DMF updates to public customers by at least 1 year to give SSA time to\n   correct most, if not all erroneous death entries.\n\n2. Limit the information included in the DMF version sold to public customers to the\n   absolute minimum required and explore alternatives to inclusion of the full SSN.\n\n\n15\n     OMB M-07-16, supra, Attachment 1 \xc2\xa7\xc2\xa7 B.1.a. at page 6 and B.2.a. and b at page 7.\n16\n     The Social Security Act \xc2\xa7 205(r)(6), as amended, 42 U.S.C \xc2\xa7 405(r)(6).\n17\n     The Social Security Act \xc2\xa7\xc2\xa7 205 (r)(3)-(5), as amended, 42 U.S.C. \xc2\xa7\xc2\xa7 405(r)(3)-(5).\n\x0cPage 8 - The Commissioner\n\n\n3. Initiate required breach notification evaluation procedures, in accordance with OMB\n   guidance, upon notification that SSA mistakenly included living individuals\xe2\x80\x99 PII in the\n   DMF.\n\n4. 
Provide appropriate notification, as determined by applying OMB guidance, to living\n   individuals whose PII was released in error, and advise them to take appropriate\n   steps to prevent further compromise of their personal information.\n\nAGENCY COMMENTS\nSSA agreed in general with Recommendations 1, 3, and 4, and stated it would consider\nimplementing Recommendation 2. SSA recognizes the undue hardship individuals may\nexperience when their personal information is erroneously compromised and is fully\ncommitted to finding ways to reduce any risk of PII exposure. SSA also stated it must\nbalance these hardships against potential economic impact further restrictions on DMF\ninformation could have on public and private users. Further, SSA stated it faces\nseveral challenges to limiting the DMF information it provides. SSA stated that, in\nApril 2008, it convened a task force to identify options to improve the death reporting\nprocess. SSA\xe2\x80\x99s comments are included in Appendix D.\n\nOn May 14, 2008, the Office of the Chief Information Officer informed us that SSA\nrecently submitted a list to US-CERT identifying thousands of names erroneously\nincluded in the DMF. In addition, SSA provided US-CERT a separate list with the\nnames of hundreds of individuals whose erroneous death entries were removed from\nthe DMF the previous week.\n\nOIG RESPONSE\n\nWe appreciate SSA\xe2\x80\x99s agreement with Recommendations 1, 3, and 4 and its\nconsideration to implement Recommendation 2. We encourage SSA to address these\nissues as expeditiously as possible. In addition to responding to the recommendations,\nSSA also provided technical comments and we incorporated these as we believed\nappropriate.\n\n\n\n\n                                                Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Background\nAPPENDIX C \xe2\x80\x93 Scope and Methodology\nAPPENDIX D \xe2\x80\x93 Agency Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                      Appendix A\n\nAcronyms\nAct       Social Security Act\nDMF       Death Master File\nNTIS      National Technical Information Service\nOMB       Office of Management and Budget\nPII       Personally Identifiable Information\nPOMS      Program Operations Manual System\nSSA       Social Security Administration\nSSN       Social Security Number\nU.S.C.    United States Code\nUS-CERT   United States Computer Emergency Readiness Team\n\x0c                                                                                Appendix B\n\nBackground\nAs depicted below, the Social Security Administration (SSA) receives most death\nreports from funeral homes or friends/relatives of the deceased. SSA considers such\nfirst-party death reports to be verified and immediately posts them to the Death Master\nFile (DMF).\n                               SSA SOURCES FOR DEATH REPORTS\n\n\n             Friends, Relatives,\n             and Funeral Homes\n                   (90%)\n\n\n\n\n                                         Federal and   Postal Authorities and\n                                      State Agencies   Financial Institutions\n                                                (5%)   (5%)\n\n\n\nOther sources of death reports include States and other Federal agencies as well as\nPostal authorities and financial institutions. SSA immediately posts non-beneficiary\ninformation received from these sources to the DMF without verification. However, if\nthese reports indicate an SSA beneficiary died, SSA requires additional verification\nbefore terminating benefits or posting the death entry to the DMF. 
1 Verification of death\nmeans that a reporter (usually someone in the person\'s home, a representative payee,\na nursing home, a doctor, or hospital) agrees the person is deceased and, if the date of\n                                                            2\ndeath is an issue, corroborates the reported date of death.\n\n\n\n\n1\n    SSA POMS, GN 02602.050A, Processing Reports of Death.\n2\n    SSA POMS, GN 02602.050A.2.\n\x0c                                                                      Appendix C\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   Reviewed Federal laws on disclosure of personal information.\n\n\xe2\x80\xa2   Reviewed Office of Management and Budget guidance on Safeguarding Against\n    and Responding to the Breach of Personally Identifiable Information as well as the\n    Social Security Administration\xe2\x80\x99s (SSA) policies and procedures related to erroneous\n    death terminations and release of personally identifiable information.\n\n\xe2\x80\xa2   Interviewed SSA Systems and Operations staff to discuss procedures used to\n    remove an erroneous death entry from a wage earner\xe2\x80\x99s record.\n\n\xe2\x80\xa2   Interviewed the Department of Commerce\xe2\x80\x99s National Technical Information Service\n    (NTIS) staff to discuss NTIS\xe2\x80\x99 role in selling and distributing the Death Master File\n    (DMF).\n\n\xe2\x80\xa2   Analyzed 46,035 instances where SSA removed death entries from the DMF during\n    the period January 2004 through April 2007. 
We identified 21,213 deletions from\n    the DMF (representing 20,623 numberholders) for beneficiaries/recipients who were\n    receiving benefits as of April and May 2007.\n\n\xe2\x80\xa2   Analyzed time between the addition to the DMF and the deletion from the DMF for\n    12,187 of 21,213 resurrection transactions (death entry addition dates were not\n    recorded on available data files for the remaining 9,026 cases).\n\n\xe2\x80\xa2   In September 2007, we selected a random sample of 250 of the 21,213 resurrection\n    transactions. For each sampled individual, we searched free Internet web sites to\n    determine if the living beneficiaries\xe2\x80\x99 personal identifying information could be\n    viewed.\n\nWe performed our audit from August through October 2007 at SSA\xe2\x80\x99s Regional Office in\nDallas, Texas. We did not test the general or application controls of SSA systems that\ngenerated electronic data used for this audit. Instead, we performed other validation\ntests and found the data to be sufficiently reliable to meet our audit objectives. The\nentity audited was the Office of the Deputy Commissioner for Operations. We\nconducted this audit in accordance with generally accepted government auditing\nstandards.\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\n\nMEMORANDUM\n\n\nDate:      May 6. 2008                                                           Refer To:   S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cPersonally Identifiable Information Made\n           Available to the General Public Via the Death Master File\xe2\x80\x9d (A-06-08-18042)-- INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. 
Our response to the report findings and\n           recommendations are attached.\n\n           Please let me know if we can be of further assistance. Staff inquiries may be directed to\n           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n                                                         D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, "PERSONALLY IDENTIFIABLE INFORMATION MADE AVAILABLE TO\nTHE GENERAL PUBLIC VIA THE DEATH MASTER FILE" (A-06-08-18042)\n\n\nThank you for the opportunity to review and comment on the draft report. We fully recognize\nthe undue hardship that individuals may experience when their personal information is\nerroneously compromised. We are therefore fully committed to find ways to reduce any risk of\nPII exposure. As we assess this issue, we strongly caution the OIG against releasing this report\npublicly. We believe limited distribution would be more responsible. We recognize that this\ninformation may already be known to some, but this report highlights the issue and could\nencourage misuse.\n\nAs we strive to ensure the accuracy of the information we receive, we must also comply with our\nresponsibility to satisfy the Perholtz court order. The Perholtz case, a Freedom of Information\nAct (FOIA) lawsuit, resulted in a consent judgment that required us to make available the full\nSSN, surname, and date of death of deceased number holders, thus creating the Death Master\nFile (DMF). Oversight organizations and Congress later recognized the immense value of the\nDMF in preventing fraud and erroneous payments, by sharing the information of deceased\nindividuals. As you cite in your report, identity theft costs businesses, financial institutions and\nconsumer victims more than $50 billion in a single year. 
The DMF is an extremely effective tool\nthat saves many public and private entities billions of dollars each year.\n\nWe have already begun in depth analysis to pinpoint the size of the PII exposure problem and the\nsource of erroneous data. We have found that the DMF is 99.59 percent accurate. Of 2.5 million\ndeath reports added each year, the DMF reflects approximately 9,000 of these are erroneous\ncases, an error rate of .0041, or less than one half of one percent. A nation-wide implementation\nof the Electronic Death Registration (EDR) process would eliminate the vast majority of these\nerroneous reports.\n\nEDR is a fully automated data exchange that allows states to transmit death reports directly to\nSSA. EDR has slowly expanded on a state by state basis over the past four years, and currently\n23 states/jurisdictions participate. EDR transactions are virtually error free. Generally, it takes\nabout two years for a State to fully rollout the process state-wide. EDR nation-wide roll-out is\ncontingent on Congressional funding of the Department of Health and Human Services (HHS) so\nthat they in turn can fund States through a grant process. The Intelligence Reform and Terrorist\nPrevention Act of 2004 transferred the funding of EDR to HHS. To date, the lack of funding has\nbeen the main barrier to full expansion.\n\nHowever, we are not waiting for the nation-wide roll-out to address this small but critical error\nrate. We have been striving to close the very small but important error rate in the DMF by other\nmeans. We know that the primary source of error in the DMF is manual inputs done in our field\noffices and teleservice centers. Of an approximate 1.5 million death reports manually input,\nerrors result on about 7,000 inputs. Although the overall accuracy rate on these manual inputs is\nstill over 99.5%, we have sought ways to prevent all error. 
In July 2007, we implemented a computer screen alert, as a double-check for our employees to ensure they are taking the proper action. We also issued clearer instructions and conducted training sessions. We have seen a significant reduction in error as a result of that change. We are also looking closely at several additional systems enhancements that could potentially tighten our field office and teleservice processes to reduce error. While we are eager to find and pursue any other methods to further ensure accuracy, it is difficult to eliminate all error in a manual system. To reiterate, EDR would be the most effective solution.

Recommendation 1

Work with the Department of Commerce to implement a risk-based approach for distributing DMF information. For example, we could request that the National Technical Information Service delay release of DMF updates to public customers by at least 1 year to give us time to correct most, if not all, erroneous death entries.

Response

We agree to explore any possible risk-based options for distributing DMF information. We also agree, as noted in your report, that we should seek ways to ensure that purchasers and users of the DMF keep their file up to date.

While we are willing to explore options, we believe that any delay in release of the DMF will cause significant economic hardship to public and private entities and impede their ability to deter fraud, waste and abuse. A 2001 GAO audit noted that “timely receipt of death information and prompt updating of financial data are key factors in the financial industry’s ability to prevent fraud and identity theft involving the SSNs of deceased individuals.” That GAO report recommended that SSA distribute the DMF more frequently to help entities to prevent fraud and identity theft.
(See GAO 2001 audit "Observations on Improving the Distribution of Death Information," http://www.gao.gov/new.items/d02233t.pdf.) We now release updates weekly.

Further, there have been numerous individuals who have testified before Congress regarding the importance of the DMF. In 2001, the Financial Services Coordinating Committee, or FSCC, testified. FSCC represents the largest and most diverse group of financial institutions in the country, including the American Bankers Association, American Council of Life Insurers, American Insurance Association, Investment Company Institute, and Securities Industry Association. FSCC noted that, “A key method for preventing fraud and identity theft due to the misuse of an SSN is to identify the fraudulent use of a deceased individual’s SSN. The linchpin of this prevention effort is the SSA’s DMF.” http://waysandmeans.house.gov/Legacy/socsec/107cong/11-8-01/11-8duge.htm

Also, any delay in the DMF would likely prompt organizations to request the information under the Freedom of Information Act (FOIA). We are required to respond to FOIA requests within 20 business days.

Recommendation 2

Limit the information included in the DMF version sold to public customers to the absolute minimum required and explore alternatives to inclusion of the full SSN.

Response

We are considering limiting the information included in the DMF version sold to the public to the absolute minimum required. We will also explore alternatives to the use of the full SSN.

We face several challenges to limiting the information we provide. First, we believe there is a strong likelihood of litigation under FOIA if we were to reduce the amount of information currently on the DMF. If we removed any data from the DMF, any FOIA requester could seek to have it included again.
Without a valid legal basis to withhold under FOIA, we would again be faced with the need to add the information or face litigation. Also, limiting the DMF to a minimum number of data elements would greatly reduce its utility for fighting identity theft and fraud. Failure to supply the full SSN for individuals on the DMF would negate the positive cost-saving results achieved by many public and private entities.

There are additional challenges we face with regard to finding an alternative to the SSN. First, we are bound by a consent decree which requires us to include the full SSN. Second, the users of the DMF rely on the SSN to match our records with theirs.

Recommendation 3

Initiate required breach notification evaluation procedures, in accordance with the Office of Management and Budget’s (OMB) guidance, upon notification that we mistakenly included living individuals’ PII in the DMF.

Response

This is a unique and complex issue. While we recognize the small percentage of error in the DMF, we are concerned with the characterization of those errors as “PII breaches.” Nonetheless, we will take a cautious approach and initiate breach notification evaluation procedures in accordance with OMB guidance.

For many years, SSA, GAO, OIG, electronic privacy advocacy groups and other oversight entities have fully understood that the DMF contains a small degree of error. In fact, SSA specifically requires that a disclaimer accompany the distribution of the DMF as follows: “SSA cannot guarantee the accuracy of the DMF. Therefore, the absence of a particular person on this file is not proof that the individual is alive.
Further, in rare instances it is possible for the records of a person who is not deceased to be included erroneously in the DMF.” To the best of our knowledge, none of these entities had characterized the DMF errors as a PII breach prior to this audit report. To the contrary, these entities have repeatedly highlighted the importance of the DMF as a tool to prevent fraud, abuse and billions of dollars in erroneous payments annually (see GAO report cited in response 1 above).

In addition, to the best of our knowledge, no case of fraud or abuse has occurred as a result of errors in the DMF. This may be largely due to the fact that living persons erroneously placed in the DMF are reported as being deceased. Therefore, it is difficult for identity thieves to distinguish these records from other deceased individuals in the DMF. It would also be difficult to abuse that PII because banks, credit bureaus and other agencies would block activity on that particular SSN, assuming the individual to be deceased. Further, when an individual notifies SSA that our records reflect an erroneous death, we take immediate action to correct our records and the DMF.

In April 2008, we convened a task force to identify options to further improve the death reporting process. This task force is assessing the notification and remediation practices under OMB guidelines.
Meanwhile, we will continue to release the DMF weekly, despite the small error rate, because any delay in the release of the DMF would impede private and public organizations’ ability to prevent fraud, abuse and billions of dollars in erroneous payments.

Recommendation 4

Provide appropriate notification, as determined by applying OMB guidance, to living individuals whose PII was released in error, and advise them to take appropriate steps to prevent further compromise of their personal information.

Response

We agree that the Agency will apply the OMB guidance and provide notification as appropriate, based on the OMB guidance. We currently provide notice to individuals when we make a death status correction in our records and in the DMF.

Appendix E

OIG Contacts and Staff Acknowledgments

OIG Contacts

Ron Gunia, Director, Dallas Audit Division, (214) 767-6620
Jason Arrington, Audit Manager, (214) 767-1321

Acknowledgments

In addition to those named above:

Clara Soto, Senior Auditor
Erica Turon, Senior Analyst
Brennan Kraje, OIG Statistician
Chuck Zaepfel, Information Technology Specialist

For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General’s Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-06-08-18042.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) comprises an Office of Audit (OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow.
Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG.
OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. OTRM also receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.